Fixes, Not Patches, Are What IT Needs
Security researcher David Litchfield's announcement that he will give vendors only one week to release security patches before he publicly announces new vulnerabilities highlights the difficult debate over how best to protect IT assets. Software vendors are often slow to fix problems in their products, and outside pressure (through disclosure and media publicity) is often the only leverage customers have to push vendors to be more responsive. Those who regularly examine security bulletins from major software vendors will notice that, unfortunately, far more security bulletins are issued as a result of a third-party vulnerability report than as a result of a vendor's internal security audit process.
Even when vendors concede that a vulnerability is serious, they need a reasonable amount of time to check whether the vulnerability exists on all supported versions and on all supported platforms. And once a patch is developed, it needs to be tested, documented and translated. This quality assurance process is essential because, as Peter Coffee reports, security patches can themselves be a source of pain by breaking existing systems.